| purl | pkg:pypi/aiohttp@3.10.11 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-d3pa-kwgz-vuag (Aliases: CVE-2025-69228, GHSA-6jhg-hg63-jvvf) | AIOHTTP vulnerable to denial of service through large payloads. **Summary:** A request can be crafted in such a way that an aiohttp server's memory fills up uncontrollably during processing. **Impact:** If an application includes a handler that uses the `Request.post()` method, an attacker may be able to freeze the server by exhausting the memory. **Patch:** https://github.com/aio-libs/aiohttp/commit/b7dbd35375aedbcd712cbae8ad513d56d11cce60 | Affected by 10 other vulnerabilities. |
| VCID-ft9z-nd6x-27dz (Aliases: CVE-2025-69225, GHSA-mqqc-3gqh-h2x8) | AIOHTTP has unicode match groups in regexes for ASCII protocol elements. **Summary:** The parser allows non-ASCII decimals to be present in the Range header. **Impact:** There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability. **Patch:** https://github.com/aio-libs/aiohttp/commit/c7b7a044f88c71cefda95ec75cdcfaa4792b3b96 | Affected by 10 other vulnerabilities. |
| VCID-k122-7d38-2ug5 (Aliases: CVE-2025-53643, GHSA-9548-qrrj-x5pj) | AIOHTTP is vulnerable to HTTP Request/Response Smuggling through incorrect parsing of chunked trailer sections. **Summary:** The Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. **Impact:** If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. **Patch:** https://github.com/aio-libs/aiohttp/commit/e8d774f635dc6d1cd3174d0e38891da5de0e2b6a | Affected by 8 other vulnerabilities. |
| VCID-peyu-fxyx-ayde (Aliases: CVE-2025-69229, GHSA-g84x-mcqj-x9qq) | AIOHTTP vulnerable to DoS through chunked messages. **Summary:** Handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. **Impact:** If an application makes use of the `request.read()` method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time. **Patches:** https://github.com/aio-libs/aiohttp/commit/dc3170b56904bdf814228fae70a5501a42a6c712 and https://github.com/aio-libs/aiohttp/commit/4ed97a4e46eaf61bd0f05063245f613469700229 | Affected by 10 other vulnerabilities. |
| VCID-qrus-4szm-c3bj (Aliases: CVE-2025-69224, GHSA-69f9-5gxw-wvc2) | AIOHTTP's unicode processing of header values could cause parsing discrepancies. **Summary:** The Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. **Impact:** If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. **Patch:** https://github.com/aio-libs/aiohttp/commit/32677f2adfd907420c078dda6b79225c6f4ebce0 | Affected by 10 other vulnerabilities. |
| VCID-sjws-ddnq-fke2 (Aliases: CVE-2025-69223, GHSA-6mq8-rvhq-8wgg) | AIOHTTP's HTTP Parser `auto_decompress` feature is vulnerable to zip bomb. **Summary:** A zip bomb can be used to execute a DoS against the aiohttp server. **Impact:** An attacker may be able to send a compressed request that, when decompressed by aiohttp, could exhaust the host's memory. **Patch:** https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c9138a | Affected by 10 other vulnerabilities. |
| VCID-t9gx-etxx-vkgb (Aliases: CVE-2025-69227, GHSA-jj3x-wxrx-4x23) | AIOHTTP vulnerable to DoS when bypassing asserts. **Summary:** When assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body. **Impact:** If optimisations are enabled (`-O` or `PYTHONOPTIMIZE=1`), and the application includes a handler that uses the `Request.post()` method, then an attacker may be able to execute a DoS attack with a specially crafted message. **Patch:** https://github.com/aio-libs/aiohttp/commit/bc1319ec3cbff9438a758951a30907b072561259 | Affected by 10 other vulnerabilities. |
| VCID-vqvz-jfqh-jkaz (Aliases: CVE-2025-69226, GHSA-54jq-c3m8-4m76) | AIOHTTP vulnerable to brute-force leak of internal static file path components. **Summary:** Path normalization for static files prevents path traversal, but opens up the ability for an attacker to ascertain the existence of absolute path components. **Impact:** If an application uses `web.static()` (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components. **Patch:** https://github.com/aio-libs/aiohttp/commit/f2a86fd5ac0383000d1715afddfa704413f0711e | Affected by 10 other vulnerabilities. |
| VCID-zm3a-mf2z-xfcm (Aliases: CVE-2025-69230, GHSA-fh55-r93g-j68g) | AIOHTTP vulnerable to Cookie Parser warning storm. **Summary:** Reading multiple invalid cookies can lead to a logging storm. **Impact:** If the `cookies` attribute is accessed in an application, then an attacker may be able to trigger a storm of warning-level logs using a specially crafted Cookie header. **Patch:** https://github.com/aio-libs/aiohttp/commit/64629a0834f94e46d9881f4e99c41a137e1f3326 | Affected by 10 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-q4yf-6qbe-5fee | aiohttp has a memory leak when middleware is enabled when requesting a resource with a non-allowed method. **Summary:** A memory leak can occur when a request produces a `MatchInfoError`. This was caused by adding an entry to a cache on each request, due to the building of each `MatchInfoError` producing a unique cache entry. **Impact:** If the user is making use of any middlewares with `aiohttp.web` then it is advisable to upgrade immediately. An attacker may be able to exhaust the memory resources of a server by sending a substantial number (100,000s to millions) of such requests. **Patch:** https://github.com/aio-libs/aiohttp/commit/bc15db61615079d1b6327ba42c682f758fa96936 | CVE-2024-52303, GHSA-27mf-ghqm-j3j8 |
| VCID-zrgm-47ph-x3g3 | aiohttp allows request smuggling due to incorrect parsing of chunk extensions. **Summary:** The Python parser parses newlines in chunk extensions incorrectly, which can lead to request smuggling vulnerabilities under certain conditions. **Impact:** If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. **Patch:** https://github.com/aio-libs/aiohttp/commit/259edc369075de63e6f3a4eaade058c62af0df71 | CVE-2024-52304, GHSA-8495-4g3g-x7pr |